b2c8bea64b348503eb9618360ec9ed7ea1c284083ac1fa7cedddb29050829a51

Analysis

max time kernel
130s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.cd6cfdb0250ba30d35dfde68dc112810.exe
Size

669KB
MD5

cd6cfdb0250ba30d35dfde68dc112810
SHA1

f53a8f7c2a3e6de2fd3980fab58f85f94fe071dd
SHA256

b2c8bea64b348503eb9618360ec9ed7ea1c284083ac1fa7cedddb29050829a51
SHA512

ad88478b46f3d4c092020c50cb8e3ae222e066367d6fc4f22a69fd978422f02a7cbe9f053afc6e62c4d9a9163bbc277ebe161be8feb950bd1df4fe92137a8d9a
SSDEEP

12288:7syeVoo8ukpeeV24ihMpQnqr+cI3a72LXrY6x46UbR/qYglMi:7sNp6p5vihMpQnqrdX72LbY6x46uR/qR

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oggllnkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnenchoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djmima32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbgndoho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohmepbki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnfoac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbfema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohkijc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhlgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enpknplq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfoac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckcbaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djipbbne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbbdip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ophjdehd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djipbbne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbmbgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbbdip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncanhaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppffec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dlncla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laglkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laglkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohmepbki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlncla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohaokbfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbhgjoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oggllnkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbfema32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.cd6cfdb0250ba30d35dfde68dc112810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbgndoho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Addhbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjaiac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjdfgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ophjdehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnenchoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncanhaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enpknplq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohkijc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmbgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohaokbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjaiac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjdfgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppffec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Addhbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnhlgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmbhgjoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.cd6cfdb0250ba30d35dfde68dc112810.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckcbaf32.exe

Executes dropped EXE 27 IoCs

pid	Process
840	Bhmbqm32.exe
1876	Bddcenpi.exe
3352	Dlncla32.exe
1632	Laglkb32.exe
3132	Nmbhgjoi.exe
1236	Ohkijc32.exe
4616	Ohmepbki.exe
3960	Ophjdehd.exe
1264	Ohaokbfd.exe
3432	Oggllnkl.exe
4584	Pncanhaf.exe
1172	Pnenchoc.exe
3108	Ppffec32.exe
1132	Addhbo32.exe
2872	Bbmbgb32.exe
2464	Bnfoac32.exe
2432	Cnhlgc32.exe
2300	Cbfema32.exe
3296	Cjaiac32.exe
5032	Cjdfgc32.exe
4344	Ckcbaf32.exe
1880	Djipbbne.exe
1296	Dbbdip32.exe
2540	Djmima32.exe
4288	Dbgndoho.exe
3492	Enpknplq.exe
216	Eldlhckj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Addhbo32.exe	Ppffec32.exe
File created	C:\Windows\SysWOW64\Djdlpdhq.dll	Bbmbgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjaiac32.exe	Cbfema32.exe
File opened for modification	C:\Windows\SysWOW64\Bddcenpi.exe	Bhmbqm32.exe
File opened for modification	C:\Windows\SysWOW64\Pnenchoc.exe	Pncanhaf.exe
File created	C:\Windows\SysWOW64\Ppffec32.exe	Pnenchoc.exe
File created	C:\Windows\SysWOW64\Gaobmboi.dll	Ophjdehd.exe
File opened for modification	C:\Windows\SysWOW64\Ppffec32.exe	Pnenchoc.exe
File opened for modification	C:\Windows\SysWOW64\Bnfoac32.exe	Bbmbgb32.exe
File created	C:\Windows\SysWOW64\Cjdfgc32.exe	Cjaiac32.exe
File opened for modification	C:\Windows\SysWOW64\Cjdfgc32.exe	Cjaiac32.exe
File opened for modification	C:\Windows\SysWOW64\Dlncla32.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Ohaokbfd.exe	Ophjdehd.exe
File opened for modification	C:\Windows\SysWOW64\Ohaokbfd.exe	Ophjdehd.exe
File created	C:\Windows\SysWOW64\Mmdcde32.dll	Dbgndoho.exe
File created	C:\Windows\SysWOW64\Ohkijc32.exe	Nmbhgjoi.exe
File created	C:\Windows\SysWOW64\Cnhlgc32.exe	Bnfoac32.exe
File created	C:\Windows\SysWOW64\Ckcbaf32.exe	Cjdfgc32.exe
File created	C:\Windows\SysWOW64\Laglkb32.exe	Dlncla32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbhgjoi.exe	Laglkb32.exe
File created	C:\Windows\SysWOW64\Jepidp32.dll	Laglkb32.exe
File created	C:\Windows\SysWOW64\Phbcfe32.dll	Cjaiac32.exe
File opened for modification	C:\Windows\SysWOW64\Pncanhaf.exe	Oggllnkl.exe
File created	C:\Windows\SysWOW64\Dafhdj32.dll	Pncanhaf.exe
File created	C:\Windows\SysWOW64\Djipbbne.exe	Ckcbaf32.exe
File created	C:\Windows\SysWOW64\Dbbdip32.exe	Djipbbne.exe
File opened for modification	C:\Windows\SysWOW64\Laglkb32.exe	Dlncla32.exe
File opened for modification	C:\Windows\SysWOW64\Oggllnkl.exe	Ohaokbfd.exe
File created	C:\Windows\SysWOW64\Pncanhaf.exe	Oggllnkl.exe
File opened for modification	C:\Windows\SysWOW64\Bbmbgb32.exe	Addhbo32.exe
File opened for modification	C:\Windows\SysWOW64\Enpknplq.exe	Dbgndoho.exe
File opened for modification	C:\Windows\SysWOW64\Eldlhckj.exe	Enpknplq.exe
File created	C:\Windows\SysWOW64\Apleaenp.dll	Enpknplq.exe
File created	C:\Windows\SysWOW64\Pjllddpj.dll	NEAS.cd6cfdb0250ba30d35dfde68dc112810.exe
File created	C:\Windows\SysWOW64\Mmmiiidk.dll	Dlncla32.exe
File created	C:\Windows\SysWOW64\Hpjonehk.dll	Oggllnkl.exe
File opened for modification	C:\Windows\SysWOW64\Djmima32.exe	Dbbdip32.exe
File created	C:\Windows\SysWOW64\Cbfema32.exe	Cnhlgc32.exe
File created	C:\Windows\SysWOW64\Qoflodqh.dll	Djipbbne.exe
File created	C:\Windows\SysWOW64\Djmima32.exe	Dbbdip32.exe
File created	C:\Windows\SysWOW64\Eneilj32.dll	Ohmepbki.exe
File created	C:\Windows\SysWOW64\Bbmbgb32.exe	Addhbo32.exe
File created	C:\Windows\SysWOW64\Donloloo.dll	Ckcbaf32.exe
File opened for modification	C:\Windows\SysWOW64\Ckcbaf32.exe	Cjdfgc32.exe
File created	C:\Windows\SysWOW64\Enpknplq.exe	Dbgndoho.exe
File created	C:\Windows\SysWOW64\Ndikch32.dll	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Nqbpidem.dll	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Mbnjicfj.dll	Ppffec32.exe
File opened for modification	C:\Windows\SysWOW64\Ophjdehd.exe	Ohmepbki.exe
File created	C:\Windows\SysWOW64\Oggllnkl.exe	Ohaokbfd.exe
File created	C:\Windows\SysWOW64\Lokceimi.dll	Addhbo32.exe
File created	C:\Windows\SysWOW64\Jnbecgdc.dll	Cbfema32.exe
File created	C:\Windows\SysWOW64\Dbgndoho.exe	Djmima32.exe
File opened for modification	C:\Windows\SysWOW64\Bhmbqm32.exe	NEAS.cd6cfdb0250ba30d35dfde68dc112810.exe
File opened for modification	C:\Windows\SysWOW64\Ohmepbki.exe	Ohkijc32.exe
File created	C:\Windows\SysWOW64\Ophjdehd.exe	Ohmepbki.exe
File created	C:\Windows\SysWOW64\Ohmepbki.exe	Ohkijc32.exe
File opened for modification	C:\Windows\SysWOW64\Cbfema32.exe	Cnhlgc32.exe
File created	C:\Windows\SysWOW64\Cjaiac32.exe	Cbfema32.exe
File opened for modification	C:\Windows\SysWOW64\Dbgndoho.exe	Djmima32.exe
File created	C:\Windows\SysWOW64\Eldlhckj.exe	Enpknplq.exe
File created	C:\Windows\SysWOW64\Nmbhgjoi.exe	Laglkb32.exe
File created	C:\Windows\SysWOW64\Dfjood32.dll	Nmbhgjoi.exe
File created	C:\Windows\SysWOW64\Lhgdahgp.dll	Pnenchoc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3136	216	WerFault.exe	114

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laglkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ohkijc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ophjdehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhgdahgp.dll"	Pnenchoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbfema32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.cd6cfdb0250ba30d35dfde68dc112810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmbhgjoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbcfe32.dll"	Cjaiac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbgndoho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll"	NEAS.cd6cfdb0250ba30d35dfde68dc112810.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnenchoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbfema32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjdfgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbbdip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbgndoho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohmepbki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oggllnkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djipbbne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djmima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjjjj32.dll"	Djmima32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmbhgjoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ophjdehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Addhbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoflodqh.dll"	Djipbbne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepidp32.dll"	Laglkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpjonehk.dll"	Oggllnkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbmbgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnhlgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djmima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohkijc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ohaokbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pncanhaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnhlgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjaiac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enpknplq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlncla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dlncla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfckpa32.dll"	Bnfoac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckcbaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oggllnkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdlpdhq.dll"	Bbmbgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmiiidk.dll"	Dlncla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laglkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohaokbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppffec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbmbgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnfoac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.cd6cfdb0250ba30d35dfde68dc112810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqfnh32.dll"	Dbbdip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mooqfmpj.dll"	Cjdfgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckcbaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djipbbne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eneilj32.dll"	Ohmepbki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apleaenp.dll"	Enpknplq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lokceimi.dll"	Addhbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdcde32.dll"	Dbgndoho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbecgdc.dll"	Cbfema32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enpknplq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	NEAS.cd6cfdb0250ba30d35dfde68dc112810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjood32.dll"	Nmbhgjoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjaiac32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 840	3076	NEAS.cd6cfdb0250ba30d35dfde68dc112810.exe	84
PID 3076 wrote to memory of 840	3076	NEAS.cd6cfdb0250ba30d35dfde68dc112810.exe	84
PID 3076 wrote to memory of 840	3076	NEAS.cd6cfdb0250ba30d35dfde68dc112810.exe	84
PID 840 wrote to memory of 1876	840	Bhmbqm32.exe	85
PID 840 wrote to memory of 1876	840	Bhmbqm32.exe	85
PID 840 wrote to memory of 1876	840	Bhmbqm32.exe	85
PID 1876 wrote to memory of 3352	1876	Bddcenpi.exe	86
PID 1876 wrote to memory of 3352	1876	Bddcenpi.exe	86
PID 1876 wrote to memory of 3352	1876	Bddcenpi.exe	86
PID 3352 wrote to memory of 1632	3352	Dlncla32.exe	87
PID 3352 wrote to memory of 1632	3352	Dlncla32.exe	87
PID 3352 wrote to memory of 1632	3352	Dlncla32.exe	87
PID 1632 wrote to memory of 3132	1632	Laglkb32.exe	90
PID 1632 wrote to memory of 3132	1632	Laglkb32.exe	90
PID 1632 wrote to memory of 3132	1632	Laglkb32.exe	90
PID 3132 wrote to memory of 1236	3132	Nmbhgjoi.exe	91
PID 3132 wrote to memory of 1236	3132	Nmbhgjoi.exe	91
PID 3132 wrote to memory of 1236	3132	Nmbhgjoi.exe	91
PID 1236 wrote to memory of 4616	1236	Ohkijc32.exe	92
PID 1236 wrote to memory of 4616	1236	Ohkijc32.exe	92
PID 1236 wrote to memory of 4616	1236	Ohkijc32.exe	92
PID 4616 wrote to memory of 3960	4616	Ohmepbki.exe	94
PID 4616 wrote to memory of 3960	4616	Ohmepbki.exe	94
PID 4616 wrote to memory of 3960	4616	Ohmepbki.exe	94
PID 3960 wrote to memory of 1264	3960	Ophjdehd.exe	95
PID 3960 wrote to memory of 1264	3960	Ophjdehd.exe	95
PID 3960 wrote to memory of 1264	3960	Ophjdehd.exe	95
PID 1264 wrote to memory of 3432	1264	Ohaokbfd.exe	96
PID 1264 wrote to memory of 3432	1264	Ohaokbfd.exe	96
PID 1264 wrote to memory of 3432	1264	Ohaokbfd.exe	96
PID 3432 wrote to memory of 4584	3432	Oggllnkl.exe	97
PID 3432 wrote to memory of 4584	3432	Oggllnkl.exe	97
PID 3432 wrote to memory of 4584	3432	Oggllnkl.exe	97
PID 4584 wrote to memory of 1172	4584	Pncanhaf.exe	98
PID 4584 wrote to memory of 1172	4584	Pncanhaf.exe	98
PID 4584 wrote to memory of 1172	4584	Pncanhaf.exe	98
PID 1172 wrote to memory of 3108	1172	Pnenchoc.exe	99
PID 1172 wrote to memory of 3108	1172	Pnenchoc.exe	99
PID 1172 wrote to memory of 3108	1172	Pnenchoc.exe	99
PID 3108 wrote to memory of 1132	3108	Ppffec32.exe	101
PID 3108 wrote to memory of 1132	3108	Ppffec32.exe	101
PID 3108 wrote to memory of 1132	3108	Ppffec32.exe	101
PID 1132 wrote to memory of 2872	1132	Addhbo32.exe	102
PID 1132 wrote to memory of 2872	1132	Addhbo32.exe	102
PID 1132 wrote to memory of 2872	1132	Addhbo32.exe	102
PID 2872 wrote to memory of 2464	2872	Bbmbgb32.exe	103
PID 2872 wrote to memory of 2464	2872	Bbmbgb32.exe	103
PID 2872 wrote to memory of 2464	2872	Bbmbgb32.exe	103
PID 2464 wrote to memory of 2432	2464	Bnfoac32.exe	104
PID 2464 wrote to memory of 2432	2464	Bnfoac32.exe	104
PID 2464 wrote to memory of 2432	2464	Bnfoac32.exe	104
PID 2432 wrote to memory of 2300	2432	Cnhlgc32.exe	105
PID 2432 wrote to memory of 2300	2432	Cnhlgc32.exe	105
PID 2432 wrote to memory of 2300	2432	Cnhlgc32.exe	105
PID 2300 wrote to memory of 3296	2300	Cbfema32.exe	111
PID 2300 wrote to memory of 3296	2300	Cbfema32.exe	111
PID 2300 wrote to memory of 3296	2300	Cbfema32.exe	111
PID 3296 wrote to memory of 5032	3296	Cjaiac32.exe	106
PID 3296 wrote to memory of 5032	3296	Cjaiac32.exe	106
PID 3296 wrote to memory of 5032	3296	Cjaiac32.exe	106
PID 5032 wrote to memory of 4344	5032	Cjdfgc32.exe	107
PID 5032 wrote to memory of 4344	5032	Cjdfgc32.exe	107
PID 5032 wrote to memory of 4344	5032	Cjdfgc32.exe	107
PID 4344 wrote to memory of 1880	4344	Ckcbaf32.exe	108

C:\Users\Admin\AppData\Local\Temp\NEAS.cd6cfdb0250ba30d35dfde68dc112810.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cd6cfdb0250ba30d35dfde68dc112810.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\SysWOW64\Bhmbqm32.exe
  C:\Windows\system32\Bhmbqm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\Bddcenpi.exe
    C:\Windows\system32\Bddcenpi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\SysWOW64\Dlncla32.exe
      C:\Windows\system32\Dlncla32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3352
    - - C:\Windows\SysWOW64\Laglkb32.exe
        
        C:\Windows\system32\Laglkb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\SysWOW64\Nmbhgjoi.exe
        
        C:\Windows\system32\Nmbhgjoi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Ohkijc32.exe
        
        C:\Windows\system32\Ohkijc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Ohmepbki.exe
        
        C:\Windows\system32\Ohmepbki.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Ophjdehd.exe
        
        C:\Windows\system32\Ophjdehd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Ohaokbfd.exe
        
        C:\Windows\system32\Ohaokbfd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Oggllnkl.exe
        
        C:\Windows\system32\Oggllnkl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Pncanhaf.exe
        
        C:\Windows\system32\Pncanhaf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Pnenchoc.exe
        
        C:\Windows\system32\Pnenchoc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Ppffec32.exe
        
        C:\Windows\system32\Ppffec32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Addhbo32.exe
        
        C:\Windows\system32\Addhbo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Bbmbgb32.exe
        
        C:\Windows\system32\Bbmbgb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Bnfoac32.exe
        
        C:\Windows\system32\Bnfoac32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Cnhlgc32.exe
        
        C:\Windows\system32\Cnhlgc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Cbfema32.exe
        
        C:\Windows\system32\Cbfema32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Cjaiac32.exe
        
        C:\Windows\system32\Cjaiac32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296

C:\Windows\SysWOW64\Cjdfgc32.exe
C:\Windows\system32\Cjdfgc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\SysWOW64\Ckcbaf32.exe
  C:\Windows\system32\Ckcbaf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\Djipbbne.exe
    C:\Windows\system32\Djipbbne.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:1880
  - - C:\Windows\SysWOW64\Dbbdip32.exe
      C:\Windows\system32\Dbbdip32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:1296
    - - C:\Windows\SysWOW64\Djmima32.exe
        
        C:\Windows\system32\Djmima32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2540
      - C:\Windows\SysWOW64\Dbgndoho.exe
        
        C:\Windows\system32\Dbgndoho.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Enpknplq.exe
        
        C:\Windows\system32\Enpknplq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Eldlhckj.exe
        
        C:\Windows\system32\Eldlhckj.exe
        8⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 412
        9⤵
        Program crash
        
        PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 216 -ip 216
1⤵
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Addhbo32.exe

Filesize
669KB

MD5
44e94b3984bbceec259b64d313037649

SHA1
e18ec73cee77bb4e0660c1fecf87a35b68f5e17b

SHA256
bca2d422ff84f8f01d54451067c0000dfecf06dcf1b100238cc0053dea5931b1

SHA512
43781285c790dc23387786b98aef8fa1ec1c057a04e314bff24de47389e5a2299abe954873131aac5d083a951595515565216197678f4ec3ec341a955b43540f

Download Submit
C:\Windows\SysWOW64\Addhbo32.exe

Filesize
669KB

MD5
44e94b3984bbceec259b64d313037649

SHA1
e18ec73cee77bb4e0660c1fecf87a35b68f5e17b

SHA256
bca2d422ff84f8f01d54451067c0000dfecf06dcf1b100238cc0053dea5931b1

SHA512
43781285c790dc23387786b98aef8fa1ec1c057a04e314bff24de47389e5a2299abe954873131aac5d083a951595515565216197678f4ec3ec341a955b43540f

Download Submit
C:\Windows\SysWOW64\Bbmbgb32.exe

Filesize
669KB

MD5
1e1f56db2d2b731fb0517e9ec7c4b5bd

SHA1
21f76093187eb5197c6ff422967ac868a654b821

SHA256
6bffddd0e4591ffaa5e8bfd20ddbedb1806e93803093758dd60e621c0878544a

SHA512
dffccca7b53c51c20a5edb6ffb67c73a69d13c7107202dc0f2e438a8017a76a7cb9dccf4f1dd5422d1946ad545f950a97d9917bfcdb0fbdfa71b3187f6b0b5f4

Download Submit
C:\Windows\SysWOW64\Bbmbgb32.exe

Filesize
669KB

MD5
1e1f56db2d2b731fb0517e9ec7c4b5bd

SHA1
21f76093187eb5197c6ff422967ac868a654b821

SHA256
6bffddd0e4591ffaa5e8bfd20ddbedb1806e93803093758dd60e621c0878544a

SHA512
dffccca7b53c51c20a5edb6ffb67c73a69d13c7107202dc0f2e438a8017a76a7cb9dccf4f1dd5422d1946ad545f950a97d9917bfcdb0fbdfa71b3187f6b0b5f4

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
669KB

MD5
890056692d0a566b32e4d66c7f594bdf

SHA1
68acb3f2b333e8bad4bfe5709deab385a4f966a8

SHA256
568635e6889cc24e606294f39da7cba18d8113c7828f3e8804d54eb66bd37354

SHA512
1e2b4a07d50996433cdb8a07d8b80ff7ed3f0bdd6dc27209f1add15408843f6edfeb3d1e147aeb79e000d2fdc42b8cee292718155f6cd6fce4f096e4b0cb8a41

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
669KB

MD5
890056692d0a566b32e4d66c7f594bdf

SHA1
68acb3f2b333e8bad4bfe5709deab385a4f966a8

SHA256
568635e6889cc24e606294f39da7cba18d8113c7828f3e8804d54eb66bd37354

SHA512
1e2b4a07d50996433cdb8a07d8b80ff7ed3f0bdd6dc27209f1add15408843f6edfeb3d1e147aeb79e000d2fdc42b8cee292718155f6cd6fce4f096e4b0cb8a41

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
669KB

MD5
4edae934532d4a8764a161725778e1d6

SHA1
13dd0aa4ada89f9b07c5d36ea68fac33310214fb

SHA256
821f6860686904150a7108d6344d8a1624f487de4d36764f0ce2d72ba77732a4

SHA512
402f50efcc5be98f099d1a1b60ebd27382d26fccc67257725bc4a96ebbc336973e60c6c8f86e2e6666e0893d09228e80070c610790d1aff81edb0f9b447dea59

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
669KB

MD5
4edae934532d4a8764a161725778e1d6

SHA1
13dd0aa4ada89f9b07c5d36ea68fac33310214fb

SHA256
821f6860686904150a7108d6344d8a1624f487de4d36764f0ce2d72ba77732a4

SHA512
402f50efcc5be98f099d1a1b60ebd27382d26fccc67257725bc4a96ebbc336973e60c6c8f86e2e6666e0893d09228e80070c610790d1aff81edb0f9b447dea59

Download Submit
C:\Windows\SysWOW64\Bnfoac32.exe

Filesize
669KB

MD5
6d63df33df760cc5c2234577e68e952a

SHA1
78263c6486959d2bcb556f21ac6516a6c60dc9a9

SHA256
d4e2b5d1ea47adfd991932bdc8fd6b520b97725b462485671a1fb01019dd91ed

SHA512
2e7d51576ab4d271720539b2dc2acb1bb199574e3352bc1cd72e6d61057f5d21e61fcbd41b06ee99b839c4139ba809862f0953bae1a0a8e934313f9043c68323

Download Submit
C:\Windows\SysWOW64\Bnfoac32.exe

Filesize
669KB

MD5
6d63df33df760cc5c2234577e68e952a

SHA1
78263c6486959d2bcb556f21ac6516a6c60dc9a9

SHA256
d4e2b5d1ea47adfd991932bdc8fd6b520b97725b462485671a1fb01019dd91ed

SHA512
2e7d51576ab4d271720539b2dc2acb1bb199574e3352bc1cd72e6d61057f5d21e61fcbd41b06ee99b839c4139ba809862f0953bae1a0a8e934313f9043c68323

Download Submit
C:\Windows\SysWOW64\Cbfema32.exe

Filesize
669KB

MD5
2f7476c572413dd989fbc6e250864029

SHA1
e630e7f7ec90e41678f4b20d34159c19aabe0c84

SHA256
841b183368a7a848791f0029f71d727c8574d48ba0c98da04d4b20092dd419ef

SHA512
11e4f3c6b824f31448cd74692caefa8c54d40b1265da3a4919c7d19661cc1e5e98e9da9f9509a988405ef87366b4a4ffc73962b0e50c02141cd75341a456049f

Download Submit
C:\Windows\SysWOW64\Cbfema32.exe

Filesize
669KB

MD5
2f7476c572413dd989fbc6e250864029

SHA1
e630e7f7ec90e41678f4b20d34159c19aabe0c84

SHA256
841b183368a7a848791f0029f71d727c8574d48ba0c98da04d4b20092dd419ef

SHA512
11e4f3c6b824f31448cd74692caefa8c54d40b1265da3a4919c7d19661cc1e5e98e9da9f9509a988405ef87366b4a4ffc73962b0e50c02141cd75341a456049f

Download Submit
C:\Windows\SysWOW64\Cjaiac32.exe

Filesize
669KB

MD5
b76e4ad977a0194a8d5ae124da914fbe

SHA1
0388c89cb3de6b577cfc86770af0089e9c64d373

SHA256
8daf647d1352870a1b7a97682bdf5103c92ef74ecdc86c65d6074ef0c31c1d0f

SHA512
c2112fdba34ee58c954a3d2656309cfdb1af6119011d8e60550c6a032ec46bae29940221dbf6deccf64750bf6646f03f63b1e4bf1c0db94ba640ce2ee1f3ed06

Download Submit
C:\Windows\SysWOW64\Cjaiac32.exe

Filesize
669KB

MD5
b76e4ad977a0194a8d5ae124da914fbe

SHA1
0388c89cb3de6b577cfc86770af0089e9c64d373

SHA256
8daf647d1352870a1b7a97682bdf5103c92ef74ecdc86c65d6074ef0c31c1d0f

SHA512
c2112fdba34ee58c954a3d2656309cfdb1af6119011d8e60550c6a032ec46bae29940221dbf6deccf64750bf6646f03f63b1e4bf1c0db94ba640ce2ee1f3ed06

Download Submit
C:\Windows\SysWOW64\Cjdfgc32.exe

Filesize
669KB

MD5
44e01c43e4091213c2b46631c3a1859e

SHA1
8fe89b866bbb6caaeaa7b735e92d0f9d06dd3787

SHA256
6cfd0cf85f6ec7ffb20cc2aaa3e83f491eeabaa524c5965dfd81c72dc60dd523

SHA512
e4f1086b9892aea2c6e9521f0de201a151dba0ad04d0afb1173c8ee3c85070bb70d19b99e5952827299d04eb2b9102f93a9070efa00e1c8f7077e49dd2a20449

Download Submit
C:\Windows\SysWOW64\Cjdfgc32.exe

Filesize
669KB

MD5
44e01c43e4091213c2b46631c3a1859e

SHA1
8fe89b866bbb6caaeaa7b735e92d0f9d06dd3787

SHA256
6cfd0cf85f6ec7ffb20cc2aaa3e83f491eeabaa524c5965dfd81c72dc60dd523

SHA512
e4f1086b9892aea2c6e9521f0de201a151dba0ad04d0afb1173c8ee3c85070bb70d19b99e5952827299d04eb2b9102f93a9070efa00e1c8f7077e49dd2a20449

Download Submit
C:\Windows\SysWOW64\Ckcbaf32.exe

Filesize
669KB

MD5
915b3f1ac80f3d065eee0b106d64d654

SHA1
abb322ba6b24261440d7e12299d5b8f9be8f51fe

SHA256
1149acf8079592651c337e205577f211ce4e9b351ae22db1f29f9ab3695c00c4

SHA512
a8c701e3ffc2a12bc4a21657214e62544775c54eb8144da9b29988cf2832630b44768730a0d7f391a6099ab810d2244fac73442af5eee5a841db6d50a30709b0

Download Submit
C:\Windows\SysWOW64\Ckcbaf32.exe

Filesize
669KB

MD5
915b3f1ac80f3d065eee0b106d64d654

SHA1
abb322ba6b24261440d7e12299d5b8f9be8f51fe

SHA256
1149acf8079592651c337e205577f211ce4e9b351ae22db1f29f9ab3695c00c4

SHA512
a8c701e3ffc2a12bc4a21657214e62544775c54eb8144da9b29988cf2832630b44768730a0d7f391a6099ab810d2244fac73442af5eee5a841db6d50a30709b0

Download Submit
C:\Windows\SysWOW64\Cnhlgc32.exe

Filesize
669KB

MD5
32f335f70e4903f45bd38d66861f5d17

SHA1
55b1dc84c84e59b959afdaaa948081c5c9383e39

SHA256
fc039b96ccf301ead9e9dd5e94f09acd9081b7fde1518ae868a88b1332cfebc3

SHA512
822c5ac8ef3b725e3163a2803d42a4b7a2870f646a87504d87547e0ecc89319615561477e2c269356e9dfdc2d8ab1316c91462714c1dc2a2d53d3d178572a11e

Download Submit
C:\Windows\SysWOW64\Cnhlgc32.exe

Filesize
669KB

MD5
32f335f70e4903f45bd38d66861f5d17

SHA1
55b1dc84c84e59b959afdaaa948081c5c9383e39

SHA256
fc039b96ccf301ead9e9dd5e94f09acd9081b7fde1518ae868a88b1332cfebc3

SHA512
822c5ac8ef3b725e3163a2803d42a4b7a2870f646a87504d87547e0ecc89319615561477e2c269356e9dfdc2d8ab1316c91462714c1dc2a2d53d3d178572a11e

Download Submit
C:\Windows\SysWOW64\Dbbdip32.exe

Filesize
669KB

MD5
1e84affab4eeba8b6ac716004a7aa0e1

SHA1
bd85406b6e86e5862cd896fd75b2dc7f039fa173

SHA256
36fa3aac4b927b3bdf44f1c29bf762ee8a3ae6c64326786c027e01436769bdc6

SHA512
7cccb23d52c004645555e59232921599f201514c807f176ded8426289017fd3039eb33476b4a1a2555c0e51779b03ec87980f3a21d1507eb25de5d1a316b3222

Download Submit
C:\Windows\SysWOW64\Dbbdip32.exe

Filesize
669KB

MD5
1e84affab4eeba8b6ac716004a7aa0e1

SHA1
bd85406b6e86e5862cd896fd75b2dc7f039fa173

SHA256
36fa3aac4b927b3bdf44f1c29bf762ee8a3ae6c64326786c027e01436769bdc6

SHA512
7cccb23d52c004645555e59232921599f201514c807f176ded8426289017fd3039eb33476b4a1a2555c0e51779b03ec87980f3a21d1507eb25de5d1a316b3222

Download Submit
C:\Windows\SysWOW64\Dbgndoho.exe

Filesize
669KB

MD5
ae971a155330bd34a98046992be08a5a

SHA1
48130a0f9d0a35e0d3d31410345acefb5135869a

SHA256
be6bf563251b1eeb4df0e0a5b97625b2ce55a99292aac6f4f76bd8f70f3e5cfc

SHA512
a82d6591ca6cb4e5fc00f1411adddbda7d69156f2055fcc614098d924e93ca8523e3273581e5bec67370593bf366dd361c185a48a1313af13ce0c511c212203c

Download Submit
C:\Windows\SysWOW64\Dbgndoho.exe

Filesize
669KB

MD5
ae971a155330bd34a98046992be08a5a

SHA1
48130a0f9d0a35e0d3d31410345acefb5135869a

SHA256
be6bf563251b1eeb4df0e0a5b97625b2ce55a99292aac6f4f76bd8f70f3e5cfc

SHA512
a82d6591ca6cb4e5fc00f1411adddbda7d69156f2055fcc614098d924e93ca8523e3273581e5bec67370593bf366dd361c185a48a1313af13ce0c511c212203c

Download Submit
C:\Windows\SysWOW64\Djipbbne.exe

Filesize
669KB

MD5
d07f97db7e46221e5cf709df4ac583fd

SHA1
a2e7adc1232745c8e01728722ff3ac477bba4a41

SHA256
2e88b0f4f505135bedd8c80fb5ca0f2332aed7083dc5e6f47e1e78355cd07539

SHA512
5806e9a3caa03159a90eee43856b9be5aa4cac60da6400ab6d1d93f29152187418aec5ed3bd09d699f34fcf59d0d6f26935e6c9bd8031dfb48147352c9b3851f

Download Submit
C:\Windows\SysWOW64\Djipbbne.exe

Filesize
669KB

MD5
d07f97db7e46221e5cf709df4ac583fd

SHA1
a2e7adc1232745c8e01728722ff3ac477bba4a41

SHA256
2e88b0f4f505135bedd8c80fb5ca0f2332aed7083dc5e6f47e1e78355cd07539

SHA512
5806e9a3caa03159a90eee43856b9be5aa4cac60da6400ab6d1d93f29152187418aec5ed3bd09d699f34fcf59d0d6f26935e6c9bd8031dfb48147352c9b3851f

Download Submit
C:\Windows\SysWOW64\Djmima32.exe

Filesize
669KB

MD5
4d160b3acbb47ad4e5e974893e845652

SHA1
c0933ed048c6c919320a375f1eaa01da3cc9164b

SHA256
542cc2a0365a684dadde8033d0a22522f00a7ab2901765f2092eee3583a2e1c6

SHA512
c1f1c3ffa3dadc8cc1a2b62e68aff52e7b6209034e74192f4791827c9c9895a52dcc69b4f4dba5e29d19b9a75ae4d3bbfde3b761fee81f1baeff72e5d495b18a

Download Submit
C:\Windows\SysWOW64\Djmima32.exe

Filesize
669KB

MD5
4d160b3acbb47ad4e5e974893e845652

SHA1
c0933ed048c6c919320a375f1eaa01da3cc9164b

SHA256
542cc2a0365a684dadde8033d0a22522f00a7ab2901765f2092eee3583a2e1c6

SHA512
c1f1c3ffa3dadc8cc1a2b62e68aff52e7b6209034e74192f4791827c9c9895a52dcc69b4f4dba5e29d19b9a75ae4d3bbfde3b761fee81f1baeff72e5d495b18a

Download Submit
C:\Windows\SysWOW64\Dlncla32.exe

Filesize
669KB

MD5
f02c5410dcc326dd87d33b92f7a42475

SHA1
8cada37fc8eacac159f5ca13fe03bc56e04b0d12

SHA256
773366a3ee1f177c3a882a43be5e0270e3927eb99184b3affdf643f2b025f1d3

SHA512
446edc1ed4e4d7338923d33035731519bc8c48f24a84bd0d5cf2e48746ae53992a60324637343547e458af3832ccc7276a12f6cff754f6344daa1ee5175a1504

Download Submit
C:\Windows\SysWOW64\Dlncla32.exe

Filesize
669KB

MD5
f02c5410dcc326dd87d33b92f7a42475

SHA1
8cada37fc8eacac159f5ca13fe03bc56e04b0d12

SHA256
773366a3ee1f177c3a882a43be5e0270e3927eb99184b3affdf643f2b025f1d3

SHA512
446edc1ed4e4d7338923d33035731519bc8c48f24a84bd0d5cf2e48746ae53992a60324637343547e458af3832ccc7276a12f6cff754f6344daa1ee5175a1504

Download Submit
C:\Windows\SysWOW64\Eldlhckj.exe

Filesize
669KB

MD5
9206fe1bd37abc03a3055d5b9475f3cd

SHA1
fc89182e0f0b5b335f70953ef8334911c6f50f9a

SHA256
a7561e258814673964fb45b419a113f954d168e722ee0c57f96bde02c9116331

SHA512
8a82ee7d195c766ffbbc801110b7f63d60e9f01421d6eadb88c2d3fca6b6bf61481f854de8e3bef9aa2a3562abb3469a970602d79002d4624982b1e9a966aaab

Download Submit
C:\Windows\SysWOW64\Eldlhckj.exe

Filesize
669KB

MD5
9206fe1bd37abc03a3055d5b9475f3cd

SHA1
fc89182e0f0b5b335f70953ef8334911c6f50f9a

SHA256
a7561e258814673964fb45b419a113f954d168e722ee0c57f96bde02c9116331

SHA512
8a82ee7d195c766ffbbc801110b7f63d60e9f01421d6eadb88c2d3fca6b6bf61481f854de8e3bef9aa2a3562abb3469a970602d79002d4624982b1e9a966aaab

Download Submit
C:\Windows\SysWOW64\Enpknplq.exe

Filesize
669KB

MD5
513e1c1b7632ccf1f7f859dbe704a510

SHA1
4c1b70f06baca6d74bb9fbab5803ffae1e2952e6

SHA256
09c799aaddfe4e334f1d1a95c575261c2ab7722e84814b6fc52b4730c9c26d6f

SHA512
c26f817e093506085d0007d7b3e3887cbf73a753d563790e3e01000ad10aaaa94420ff2a05b4062afc325bc4377668e74d7deb5e77a52264a4a3c8e4853d9620

Download Submit
C:\Windows\SysWOW64\Enpknplq.exe

Filesize
669KB

MD5
513e1c1b7632ccf1f7f859dbe704a510

SHA1
4c1b70f06baca6d74bb9fbab5803ffae1e2952e6

SHA256
09c799aaddfe4e334f1d1a95c575261c2ab7722e84814b6fc52b4730c9c26d6f

SHA512
c26f817e093506085d0007d7b3e3887cbf73a753d563790e3e01000ad10aaaa94420ff2a05b4062afc325bc4377668e74d7deb5e77a52264a4a3c8e4853d9620

Download Submit
C:\Windows\SysWOW64\Jepidp32.dll

Filesize
7KB

MD5
6c90887f2792f47e69d3e3f12957b4c0

SHA1
2a99cce8edf10b4fe022ebf02128833004bef25a

SHA256
7fcdbc1c8f5ad8271e4d737463bfebc59cb8888d01dd02d7bef22022c8251e8b

SHA512
40225e0c9fdb2e3503875f4993713a42a21f2b50e73ff0df8e486342499898d817812b1e23ba65858d15cc1395e7cafd545043da0ec7807b1575ff0f826c50a7

Download Submit
C:\Windows\SysWOW64\Laglkb32.exe

Filesize
669KB

MD5
f02c5410dcc326dd87d33b92f7a42475

SHA1
8cada37fc8eacac159f5ca13fe03bc56e04b0d12

SHA256
773366a3ee1f177c3a882a43be5e0270e3927eb99184b3affdf643f2b025f1d3

SHA512
446edc1ed4e4d7338923d33035731519bc8c48f24a84bd0d5cf2e48746ae53992a60324637343547e458af3832ccc7276a12f6cff754f6344daa1ee5175a1504

Download Submit
C:\Windows\SysWOW64\Laglkb32.exe

Filesize
669KB

MD5
baa515d3985141ad1406997adde0ae5b

SHA1
231ca2132003ceb78ed7084d8ae8ae8c92a4c424

SHA256
f149859743104c133b904948deea2429c97edbd8e8f7d5efba2a334ea894de1c

SHA512
1670793f0c9a77f72b59b13de0965a8b2db88f9078b2e7d4058074e710895715e80d5f2d0292e61e5e6d36ff9027e67655313d85a39c907c8e812388e774fe9d

Download Submit
C:\Windows\SysWOW64\Laglkb32.exe

Filesize
669KB

MD5
baa515d3985141ad1406997adde0ae5b

SHA1
231ca2132003ceb78ed7084d8ae8ae8c92a4c424

SHA256
f149859743104c133b904948deea2429c97edbd8e8f7d5efba2a334ea894de1c

SHA512
1670793f0c9a77f72b59b13de0965a8b2db88f9078b2e7d4058074e710895715e80d5f2d0292e61e5e6d36ff9027e67655313d85a39c907c8e812388e774fe9d

Download Submit
C:\Windows\SysWOW64\Nmbhgjoi.exe

Filesize
669KB

MD5
27495adc96a27c6f23f86055b5f75406

SHA1
d78a28560ac84794bf0a36dae58e985c697e0971

SHA256
668e9042f1ea0c56d698c8b7e83c5fa39c5b730e913279806030f9854d9477fd

SHA512
6f329320d26ecabd31d94112ee07cd0d5dcae370f911f2555763b015aeb18173d21c63c12d54a417b58cbcdf5b00ac8a59a10ba200a2089077dfb2c749a24e45

Download Submit
C:\Windows\SysWOW64\Nmbhgjoi.exe

Filesize
669KB

MD5
27495adc96a27c6f23f86055b5f75406

SHA1
d78a28560ac84794bf0a36dae58e985c697e0971

SHA256
668e9042f1ea0c56d698c8b7e83c5fa39c5b730e913279806030f9854d9477fd

SHA512
6f329320d26ecabd31d94112ee07cd0d5dcae370f911f2555763b015aeb18173d21c63c12d54a417b58cbcdf5b00ac8a59a10ba200a2089077dfb2c749a24e45

Download Submit
C:\Windows\SysWOW64\Oggllnkl.exe

Filesize
669KB

MD5
ea597a261b97074f0be1c195faf9ac27

SHA1
d1f260c886e27aec5ba3010c753a6184dcb3784e

SHA256
8851da53ac05dce31041a36691294677dd7d52b4c7abebc6f439f2138b52de5f

SHA512
4b16a9ca221986cc3838aaff085d955055e22af4a1759d44ae85f807e4aaa445ae1651c4e0d62e63f44527b70fe17adef63fa7105f114f0ab322207478bf87c6

Download Submit
C:\Windows\SysWOW64\Oggllnkl.exe

Filesize
669KB

MD5
ea597a261b97074f0be1c195faf9ac27

SHA1
d1f260c886e27aec5ba3010c753a6184dcb3784e

SHA256
8851da53ac05dce31041a36691294677dd7d52b4c7abebc6f439f2138b52de5f

SHA512
4b16a9ca221986cc3838aaff085d955055e22af4a1759d44ae85f807e4aaa445ae1651c4e0d62e63f44527b70fe17adef63fa7105f114f0ab322207478bf87c6

Download Submit
C:\Windows\SysWOW64\Ohaokbfd.exe

Filesize
669KB

MD5
eb0c351adaeb161949a2942bbfc9b2ba

SHA1
d05936901d6bb596f302f756883ad3f1669862a2

SHA256
bf17e2e725bdb35ee5db40266164ab085f7acfbe8e264bb59dc6f0af55869760

SHA512
fa8546b5b1bae850ec44d2d4e05d3d88d91f1abc5dc956305ecdd39918285b195af0637fc53be56fc07c398e1bd46436b2d8d3f5aaf17d0d5bd9c4f6d09299ac

Download Submit
C:\Windows\SysWOW64\Ohaokbfd.exe

Filesize
669KB

MD5
eb0c351adaeb161949a2942bbfc9b2ba

SHA1
d05936901d6bb596f302f756883ad3f1669862a2

SHA256
bf17e2e725bdb35ee5db40266164ab085f7acfbe8e264bb59dc6f0af55869760

SHA512
fa8546b5b1bae850ec44d2d4e05d3d88d91f1abc5dc956305ecdd39918285b195af0637fc53be56fc07c398e1bd46436b2d8d3f5aaf17d0d5bd9c4f6d09299ac

Download Submit
C:\Windows\SysWOW64\Ohkijc32.exe

Filesize
669KB

MD5
4e931aab1e01ee82de7aa52fb5837fa4

SHA1
821986c425f74cd542bdb5ba3d326287ea99ff39

SHA256
699eb016915152dee40b957c13f588951d97f8d601d5d5827480638487879ba3

SHA512
3f686cb9ae5a3e4da0aeae663b52bb924048127e7ebf29905e4d4271819e715ca2ce05f45cc481f858fc7e518f31f8eefa4f50de7a3daa765bb4ef59e3b1796d

Download Submit
C:\Windows\SysWOW64\Ohkijc32.exe

Filesize
669KB

MD5
4e931aab1e01ee82de7aa52fb5837fa4

SHA1
821986c425f74cd542bdb5ba3d326287ea99ff39

SHA256
699eb016915152dee40b957c13f588951d97f8d601d5d5827480638487879ba3

SHA512
3f686cb9ae5a3e4da0aeae663b52bb924048127e7ebf29905e4d4271819e715ca2ce05f45cc481f858fc7e518f31f8eefa4f50de7a3daa765bb4ef59e3b1796d

Download Submit
C:\Windows\SysWOW64\Ohmepbki.exe

Filesize
669KB

MD5
51c0a1bc9c51910a1584d1436f8dcf38

SHA1
e939e8694568e1d2bcef2a457c47c2f750149ec8

SHA256
0f6ba14b0d875a7baccc6da543808479d2d41f39f59464c4964a2e236ea21c53

SHA512
a6216dfd21306250db27f65c4fea3c5a0576c3688d34633c3e6eb6121b0917d627c188207b55a497117364b7f07ac6cae9eb22969031bccabd6682189f8fc3ab

Download Submit
C:\Windows\SysWOW64\Ohmepbki.exe

Filesize
669KB

MD5
51c0a1bc9c51910a1584d1436f8dcf38

SHA1
e939e8694568e1d2bcef2a457c47c2f750149ec8

SHA256
0f6ba14b0d875a7baccc6da543808479d2d41f39f59464c4964a2e236ea21c53

SHA512
a6216dfd21306250db27f65c4fea3c5a0576c3688d34633c3e6eb6121b0917d627c188207b55a497117364b7f07ac6cae9eb22969031bccabd6682189f8fc3ab

Download Submit
C:\Windows\SysWOW64\Ophjdehd.exe

Filesize
669KB

MD5
13bb441a09f75721fc2322f98b8ecefd

SHA1
da0d4a7d9a9f043fa446dccf9d6811c7a7c2742b

SHA256
ed570a451abddfdd807abd19e19935d6e9fbdf6e2fae8e3676cdd99828497a07

SHA512
f56dbea33ff2096ae9b60d11590b9a89789c939df7ef9e62ba8871d315428cbde1575ac6cca00f5d90eee7241e2f2ab69ae9dc2db857ed90600d2f21a5a4f716

Download Submit
C:\Windows\SysWOW64\Ophjdehd.exe

Filesize
669KB

MD5
13bb441a09f75721fc2322f98b8ecefd

SHA1
da0d4a7d9a9f043fa446dccf9d6811c7a7c2742b

SHA256
ed570a451abddfdd807abd19e19935d6e9fbdf6e2fae8e3676cdd99828497a07

SHA512
f56dbea33ff2096ae9b60d11590b9a89789c939df7ef9e62ba8871d315428cbde1575ac6cca00f5d90eee7241e2f2ab69ae9dc2db857ed90600d2f21a5a4f716

Download Submit
C:\Windows\SysWOW64\Pncanhaf.exe

Filesize
669KB

MD5
681b22d6267c4133d7dca36070069627

SHA1
fdf5be40912d91c15ea453dd486f4f871dd817e2

SHA256
8fa35aa596381bbb1bf50288b5a0e42df74246612ff0dafc6b19cc308d4dee57

SHA512
af338257095c1991954b16b672f22c7d98ec27e8df5b12178e16385fd54b18421835c941c4c2f18733ddfc4e0716bd26d66a2db94ec8e6141bc8d17b31c22f48

Download Submit
C:\Windows\SysWOW64\Pncanhaf.exe

Filesize
669KB

MD5
681b22d6267c4133d7dca36070069627

SHA1
fdf5be40912d91c15ea453dd486f4f871dd817e2

SHA256
8fa35aa596381bbb1bf50288b5a0e42df74246612ff0dafc6b19cc308d4dee57

SHA512
af338257095c1991954b16b672f22c7d98ec27e8df5b12178e16385fd54b18421835c941c4c2f18733ddfc4e0716bd26d66a2db94ec8e6141bc8d17b31c22f48

Download Submit
C:\Windows\SysWOW64\Pnenchoc.exe

Filesize
669KB

MD5
ded35e1db9880f81376c3838392961db

SHA1
79e7a8e0f889be2a8de63320eb7c6b1a7f52a7f8

SHA256
6130a8980fb779dcd4278759acd90c57f91b89eec7ee2d4d401cbf1f69f2cff0

SHA512
e1b0458c964f37fe96a6b7b69408111bd13c76d3ec50403f202740888e23243e8caa6d635ec904e51cf82afce490d78ef822bd31851a59daf2e65914b6f9d75d

Download Submit
C:\Windows\SysWOW64\Pnenchoc.exe

Filesize
669KB

MD5
ded35e1db9880f81376c3838392961db

SHA1
79e7a8e0f889be2a8de63320eb7c6b1a7f52a7f8

SHA256
6130a8980fb779dcd4278759acd90c57f91b89eec7ee2d4d401cbf1f69f2cff0

SHA512
e1b0458c964f37fe96a6b7b69408111bd13c76d3ec50403f202740888e23243e8caa6d635ec904e51cf82afce490d78ef822bd31851a59daf2e65914b6f9d75d

Download Submit
C:\Windows\SysWOW64\Ppffec32.exe

Filesize
669KB

MD5
f7f52d70db148dee44a409fec3aac0b8

SHA1
0c5180c97b3b347ea942b176a9a1abf6a744ce27

SHA256
adc75760bdb560d9878198aa64d67c4411a57d15ad58e2f51868ecac998ca411

SHA512
d2fea34ce96c2a60f611634eb21b36e2e2627368e8959ebf11bf9145fec09f313265b635749788591d36b56996d692552cbb2fc2a6e94e5074b2aae56a4e8fa3

Download Submit
C:\Windows\SysWOW64\Ppffec32.exe

Filesize
669KB

MD5
f7f52d70db148dee44a409fec3aac0b8

SHA1
0c5180c97b3b347ea942b176a9a1abf6a744ce27

SHA256
adc75760bdb560d9878198aa64d67c4411a57d15ad58e2f51868ecac998ca411

SHA512
d2fea34ce96c2a60f611634eb21b36e2e2627368e8959ebf11bf9145fec09f313265b635749788591d36b56996d692552cbb2fc2a6e94e5074b2aae56a4e8fa3

Download Submit
memory/216-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/216-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/840-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/840-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1264-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1264-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads